CVE-2022-2601: GRUB2 heap overflow in grub_font_construct_glyph via PF2 font integer overflow
2bafb9df-836b-45dc-9a7e-1e3bcbfb9ab4
CVE-2022-2601 is a heap buffer overflow in GRUB2's font rendering pipeline when processing crafted PF2 font files. The vulnerability is in grub_font_construct_glyph() in grub-core/font/font.c (lines 1501-1564).
The root cause is an integer overflow in the computation of max_glyph_size:
    max_glyph_size = (sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2;

bounds is a struct grub_video_signed_rect, whose width and height are 32-bit unsigned. They accumulate the total dimensions of the main glyph plus all of its combining glyphs. A crafted PF2 font that attaches many GRUB_UNICODE_COMB_ATTACHED_ABOVE_RIGHT combining characters (each up to 65535 wide) to one base character pushes bounds.width well past 65535, and because bounds.width * bounds.height is evaluated in 32-bit unsigned arithmetic before it is widened to grub_size_t, the product wraps to a small value. The consequences chain as follows:

- max_glyph_size is computed as a small value (e.g. 16434 bytes), so a tiny heap buffer is allocated for glyph.
- glyph->width = bounds.width truncates the width to grub_uint16_t (e.g. still 65535 after truncation), so the glyph header describes a bitmap far larger than the buffer behind it.
- grub_font_blit_glyph() indexes target->bitmap with target->width * (dy + i) + dx, trusting that header, and copies up to 512 MB of glyph data into the ~16 KB buffer: a heap overflow.
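To make the arithmetic concrete, the following is an added example (not GRUB's own code): it models the max_glyph_size computation with the same integer widths GRUB uses, shows a constructed width/height pair whose 32-bit product wraps to 257 bits, computes the bitmap byte index grub_font_blit_glyph() reaches for the truncated 16-bit width, and contrasts a hardened size computation. The two structs are simplified stand-ins for struct grub_video_signed_rect and struct grub_font_glyph, the hardened variant uses the GCC/Clang __builtin_*_overflow intrinsics rather than GRUB's safemath.h helpers, and the crafted bounds are constructed input.

```c
/*
 * Added example, not GRUB's own code: a stand-alone model of the size
 * computation in grub_font_construct_glyph() with the same integer
 * widths GRUB uses, a hardened variant, and the byte index reached by
 * grub_font_blit_glyph() for the truncated width.
 *
 * Assumptions: the two structs below are simplified stand-ins for
 * GRUB's struct grub_video_signed_rect and struct grub_font_glyph; the
 * hardened variant uses the GCC/Clang __builtin_*_overflow intrinsics
 * rather than GRUB's safemath.h helpers; the crafted bounds are a
 * constructed input chosen so the 32-bit product wraps to a tiny value.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GRUB_CHAR_BIT 8

/* Stand-in for struct grub_video_signed_rect: width/height are 32-bit unsigned. */
struct signed_rect {
  int x, y;
  unsigned width, height;
};

/* Stand-in for struct grub_font_glyph: the header fields are 16-bit. */
struct font_glyph {
  uint16_t width, height;
  int16_t offset_x, offset_y;
  uint16_t device_width;
  void *font;
  uint8_t bitmap[];
};

/* The vulnerable computation: width * height is evaluated in 32-bit
 * unsigned arithmetic and wraps before it is widened to size_t. */
static size_t vuln_max_glyph_size(const struct signed_rect *b)
{
  return (sizeof(struct font_glyph) +
          (b->width * b->height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2;
}

/* Bytes the bitmap really needs, computed in 64 bits so it cannot wrap. */
static uint64_t true_bitmap_bytes(const struct signed_rect *b)
{
  uint64_t bits = (uint64_t)b->width * (uint64_t)b->height;
  return (bits + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT;
}

/* Hardened computation: reject bounds that would not survive the
 * grub_uint16_t truncation in the glyph header, and fail closed on any
 * arithmetic overflow instead of allocating a too-small buffer. */
static bool safe_glyph_alloc_size(const struct signed_rect *b, size_t *out)
{
  size_t bits, bytes, total;

  if (b->width > UINT16_MAX || b->height > UINT16_MAX)
    return false;
  if (__builtin_mul_overflow((size_t)b->width, (size_t)b->height, &bits))
    return false;
  if (__builtin_add_overflow(bits, (size_t)(GRUB_CHAR_BIT - 1), &bytes))
    return false;
  bytes /= GRUB_CHAR_BIT;
  if (__builtin_add_overflow(bytes, sizeof(struct font_glyph), &total))
    return false;
  if (__builtin_mul_overflow(total, (size_t)2, &total))
    return false;
  *out = total;
  return true;
}

/* Highest bitmap byte index grub_font_blit_glyph() touches when it
 * copies a src_width x src_height source at (dx, dy) into a target whose
 * header claims target_width: (target->width * (dy + i) + dx) / 8 for
 * the last row and column, in the same 32-bit unsigned arithmetic. */
static uint32_t blit_last_byte_index(uint16_t target_width, uint16_t src_width,
                                     uint16_t src_height, unsigned dx, unsigned dy)
{
  uint32_t last_bit = (uint32_t)target_width * (dy + src_height - 1) + dx + src_width - 1;
  return last_bit / GRUB_CHAR_BIT;
}

int main(void)
{
  /* Constructed crafted bounds: width 16711679 (= 255 * 65536 - 1, the kind
   * of total reached by stacking combining glyphs) and height 65279.
   * The 64-bit product is 1090921693441, which is 257 mod 2^32. */
  struct signed_rect crafted = { 0, 0, 16711679u, 65279u };
  size_t safe = 0;

  printf("vulnerable allocation: %zu bytes\n", vuln_max_glyph_size(&crafted));
  printf("bitmap really needs:   %llu bytes\n",
         (unsigned long long)true_bitmap_bytes(&crafted));
  printf("glyph->width after truncation: %u\n", (unsigned)(uint16_t)crafted.width);
  printf("blit writes up to byte %u\n",
         blit_last_byte_index((uint16_t)crafted.width, 65535, 65279, 0, 0));
  printf("hardened size check: %s\n",
         safe_glyph_alloc_size(&crafted, &safe) ? "accepted" : "rejected");
  return 0;
}
```

With the constructed bounds the vulnerable formula allocates 2 * (sizeof(struct font_glyph) + 33) bytes while the bitmap really needs about 136 GB, the truncated header still says width 65535, and the blit reaches byte index 534757408 (roughly the 512 MB the description quotes). The hardened variant rejects the same bounds at the 16-bit range check before any multiplication happens, and accepts ordinary glyphs with the same result the original formula gives.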
The practical impact is a Secure Boot bypass: an attacker who can place a malicious PF2 font where GRUB will load it (fonts are pulled in via GRUB_FONT or the loadfont command and, unlike kernels, are not covered by the signature checks of the usual shim setup) triggers the heap overflow inside the bootloader, and a controlled heap write at that stage can be turned into arbitrary code execution before any kernel is verified. A fix has to compute the glyph size with overflow-checked arithmetic and refuse glyphs whose accumulated bounds cannot be represented, rather than trusting the wrapped value; the upstream GRUB patch does this with its safemath.h helpers.